On Wed, Jul 30, 2008 at 06:16:20PM +0100, Kurt Zeilenga wrote:
> On Jul 30, 2008, at 4:33 PM, Jorge Medina wrote:
>> Does anybody know where I could get the PGP keys to verify the
>> integrity of the source code I downloaded from a mirror?
> PGP is not used to sign releases or release announcements.
> To verify the integrity of a tarball download from ftp.openldap.org
> or a mirror, you can check it against the SSHA1 and/or MD5 hashes
> published as part of the announcement for the release (posted to
> openldap-announce(a)openldap.org , archived in that list's archives).
> Hash verification is not intended to detect instances where
> hosted services have been hijacked or otherwise seriously
However, only offering the option to verify the hashes using unsigned
emails or non-https publications on a web site is offering up many
more attack vectors.
PGP-signing the hashes would solve this problem and is bog standard
practice in many (most?) projects and I would like to see it offered by

I'd support the approach of digitally signing the source tar.gz files.
I've been doing it for years when releasing web2ldap source packages. It's
just part of a simple script. Therefore I've filed ITS#5639 for that.
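A minimal version of the signed-hash-manifest flow the thread argues for, as an added example that is not OpenLDAP's or web2ldap's own release script. It assumes GNU sha1sum and gpg 2.1+ on PATH; the signing key, tarball contents and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not OpenLDAP's or web2ldap's own release tooling: a signed
# hash manifest for a release tarball, and why it beats an unsigned hash.
# Assumes GNU coreutils (sha1sum) and gpg 2.1+ on PATH; the key, tarball
# and file names below are constructed for the demo.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"
cd "$WORK"; mkdir release

# Release side: throwaway signing key, constructed tarball, SHA1 manifest,
# detached ASCII-armoured signature over the manifest (the "simple script").
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Release Key <release@example.invalid>' \
    ed25519 sign 0 2>/dev/null
printf 'constructed tarball contents\n' > release/pkg-0.1.tgz
(cd release && sha1sum pkg-0.1.tgz > pkg-0.1.sha1 \
    && gpg --batch --quiet --detach-sign --armor -o pkg-0.1.sha1.asc pkg-0.1.sha1)

# Consumer side, hash only: all an unsigned announcement lets you check.
verify_hash_only() {  # $1 = directory holding tarball + manifest
    (cd "$1" && sha1sum -c --quiet pkg-0.1.sha1 >/dev/null 2>&1)
}
# Consumer side, signed: check the manifest signature against the project
# key already in the keyring, and only then compare the tarball hash.
verify_signed() {     # $1 = directory holding tarball + manifest + signature
    (cd "$1" && gpg --batch --quiet --verify pkg-0.1.sha1.asc pkg-0.1.sha1 2>/dev/null \
        && sha1sum -c --quiet pkg-0.1.sha1 >/dev/null 2>&1)
}

# Scenario 1: tarball altered on a mirror or in transit; manifest untouched.
cp -r release tampered; printf 'extra bytes\n' >> tampered/pkg-0.1.tgz
# Scenario 2: mirror and announcement both replaced, manifest recomputed to
# match the altered tarball (possible whenever the hash channel is unsigned);
# the detached signature no longer matches the manifest.
cp -r tampered forged; (cd forged && sha1sum pkg-0.1.tgz > pkg-0.1.sha1)

for d in release tampered forged; do
    verify_hash_only "$d" && h=pass || h=FAIL
    verify_signed "$d"    && s=pass || s=FAIL
    printf '%-9s hash-only=%s  signed=%s\n' "$d" "$h" "$s"
done
# Expected: release pass/pass, tampered FAIL/FAIL, forged pass/FAIL.
```

The last line is the point of the thread: the forged release passes a hash-only check but fails once the manifest must carry a valid signature from a key the consumer already trusts.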